Post on 30-Jan-2021
Exploiting JRE- JRE Vulnerability: Analysis & Hunting
@Hitcon 2013
xye0x01@gmail.comnforest@live.cn
mailto:xye0x01@gmail.commailto:xye0x01@gmail.commailto:nforest@live.cnmailto:nforest@live.cn
About Us
• Xiao Lee(xye0x01),Sen Nie(nforest)• SHANGHAI JIAO TONG UNIVERSITY• Major in Computer Science and
Technology
• J2EE Development/Program Analysis/JRE Vulnerability Research/XSS
Abstract
•Exploiting Applet•JRE Security Components•JRE Vulnerability •Hunting bugs in JRE•What’s next
Exploiting Applet
• JDK/JRE/JVM• Java Applet• • No DEP & ASLR Under JRE 6• Objective: Oracle JRE/Apple JRE/
OpenJDK in Windows/Linux/Mac OS X
Exploiting Applet
5%10%
16%
32%
37%JREAdobe Reader/AcrobatAdobe FlashMS IEOthers
Data from Java als Sicherheitsrisiko by Renato Ettisberger in 2011.
JRE Security Components
Comic from Security Issues of the Sandbox inside Java Virtual Machine (JVM) by Mohammad Shouaib Hashemi in 2010.
Sandbox Restriction
• Read/Write local files• Commands• Socket• Get system properties• Load libraries• ...
JRE Security Components
• Classloader• SecurityManager• doPrivileged block• Reflection• Package Access
ClassLoader
BootStrapClassloader
CustomClassloader
ExtensionClassloader
ApplicationClassloader
Java
C
Java
Java
Trust all the classes it loaded
Security checks
Security checks
Security checks
SecurityManager
• Key component of security checks• null in local Java Applications• sun.applet.AppletSecurity in
Applets by default
• System.setSecurityManager(null)• Find a way setting SecurityManager
to null
doPrivileged block
AccessController.checkPermission()
...
...
...
...
...dangerous()
...
AccessController.checkPermission()
...
...doPrivileged()
...
...dangerous()
...
Function Stack Function Stack
check check
stop
stopException
Reflection
• Get Class/Method/Constructor/Field object of a class
• Field: get/set• Constructor: newInstance• Method: invoke• Java 7: MethodType & MethodHandle
Package Access
• Warnings in IDE like Eclipse• checkPackageAccess before execute• Security.getProperty(“package.acce
ss”)
• Simple but effective
JRE Vulnerability
• API Design Vulnerability• Unsafe use of reflect API• CVE-2012-4681• CVE-2013-2423
• Bugs in Native Code Written by C• Overflow, etc.• CVE-2013-1493
CVE-2012-4681
• sun.awt.SunToolkit.getField
CVE-2012-4681
• java.beans.Statement field “acc”• Statement s = new
Statement(java.lang.System.class, “setSecurityManager”, new Object[] { null });
• s.execute();
CVE-2012-4681
• Privileged “acc”
CVE-2012-4681
• Get private field “acc” with vulnerable method “getField”
• field.set• Construct a “set-securityManager-
null” Statement
• statement.execute()
CVE-2013-2423
• In JVM...• “int” takes 4 bytes• “long” takes 8 bytes• “Object” takes 4 bytes
• Field “Type” in Integer/Long• JVM knows variables’ type according to field
“Type” in class Integer/Long/Float/Double/...
• Type confusion? How?• 1 “int” + 1 “Object” = 1 ”long”
CVE-2013-2423
Step 1. Helper classes
CVE-2013-2423
Step 2. Type confusion
CVE-2013-2423
Step 3. Find & Set
CVE-2013-1493
• What happened if “new int[8GB]” occurs?
• Everything is an Object in OO• Gaining each Object in whole
memory of the JVM
• Exploiting Java big array
CVE-2013-1493java.awt.image.ColorConvertOp.filter
sun.awt.color.ICC_Transform.colorConvert
[native]sun.awt.color.CMM.cmmColorConver
Java_sun_awt_color_CMM_cmmColorConvert...
initImageLayouts...
finishLayoutInitC
CVE-2013-1493
• Create all needed objects• Heap spray (make the theAlphaPtrP
available)
• ColorConvertOp.filter• Find the location of “length” of
bigArray
• Assign 0x7FFFFFFF to “length”
CVE-2013-1493
Hunting bugs in JRE
• Key points to 2 kinds of JRE Vulnerability
• API Design Vulnerability• Bugs in Native Code Written by C
• Target JRE versions• Whitebox auditing / Fuzzing• Discovered bugs & exploitations• Issue #1~#5
Hunting bugs in JRE
• Key points to hunting API Design Vulnerabilities
• Trusted invoke chain• Params for exploiting• Reflection API surround with doPrivileged block
• Key points to hunting Bugs in Native Code Written by C
• Trusted invoke chain• Fuzzing
Hunting API Design Vulnerabilities
• Target JRE versions• OpenJDK 6/7 (available source code)• Reversing of Oracle JRE & Apple JRE (rt.jar; jad)
• Whitebox auditing• Searching for “doPrivileged”• 435 classes in OpenJDK 6• 634 classes in OpenJDK 7• 341 classes in Apple JRE 6u27
Hunting Bugs in Native Code
• Target JRE versions• OpenJDK 7 (available source code)
• Whitebox auditing• Searching for “native”• Taking “invoke chain” into consideration• 65 native API to fuzzing
• Fuzzing• Replacing params for dumb fuzzing
Issue #1
• Discovered in OpenJDK 7-b147• sun.awt.SunToolkit.getSystemProper
ty
• Sensitive info leak
Issue #2
• Discovered in Apple JRE 6u27 under Mac OS X 10.6.8
• com.sun.org.apache.xalan.internal.utils.SecuritySupport.getSystemProperty
• Sensitive info leak
Issue #2
Issue #3
• Discovered in Apple JRE 6u27 under Mac OS X 10.6.8
• com.apple.eio.FileManager.moveToTrash• File probe
Issue #3
Issue #4
• Discovered in Apple JRE 6u27• Exploitable under Oracle JRE 7u5 as well
(Windows or Mac OS X)
• com.sun.org.apache.xalan.internal.utils.ObjectFactory.findProviderClass
• Getting any class object
Issue #5
• Discovered in Oracle JRE 7u5• sun.java2d.DefaultDisposerRecord.invokeNa
tiveDispose
• Taking over of EIP & EAX• Class.forName in trusted code is needed
Call This Address(EIP)
Get data (EAX)
Exploit of Issue #4+#5
• Expression of findProviderClass• Gaining class object of
invokeNativeDispose
• Heap spray: new byte[large]• Filling shellcode• Assigning EIP param
Demo
What’s Next
• Bypass “click-and-play” after 7u9• Social Engineering• Load “.ser” file under Oracle JRE 7u10
• File type resolving bugs in native code
• Pwn2own 2013. Java Memory Corruption in resolving “.otf” files
• Smart Fuzzing & Program Analysis
https://community.rapid7.com/community/metasploit/blog/2013/02/25/java-abused-in-the-wild-one-more-timehttps://community.rapid7.com/community/metasploit/blog/2013/02/25/java-abused-in-the-wild-one-more-timehttp://blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruptionhttp://blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruptionhttp://blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruptionhttp://blog.accuvantlabs.com/blog/jdrake/pwn2own-2013-java-7-se-memory-corruption
Reference
• OpenJDK• Java als Sicherheitsrisiko. Renato Ettisberger.
2011.
• Security Issues of the Sandbox inside Java Virtual Machine(JVM). Mohammad Shouaib Hashemi. 2010.
• Security Vulnerabilities in Java SE. Security Explorations. 2012.
• Inside the Java2 Virtual Machine. Bill Venners. 2000.
• Comparing Java and .NET Security. Nathanael Paul, David Evans. 2006.
http://openjdk.java.net/http://openjdk.java.net/http://www.switch.ch/export/sites/default/all/cert/downloads/presentations/_files_presentations/Java_als_Risiko.pdfhttp://www.switch.ch/export/sites/default/all/cert/downloads/presentations/_files_presentations/Java_als_Risiko.pdfhttp://www.switch.ch/export/sites/default/all/cert/downloads/presentations/_files_presentations/Java_als_Risiko.pdfhttp://www.switch.ch/export/sites/default/all/cert/downloads/presentations/_files_presentations/Java_als_Risiko.pdfhttps://publications.theseus.fi/bitstream/handle/10024/17282/Hashemi_Shouaib.pdfhttps://publications.theseus.fi/bitstream/handle/10024/17282/Hashemi_Shouaib.pdfhttps://publications.theseus.fi/bitstream/handle/10024/17282/Hashemi_Shouaib.pdfhttps://publications.theseus.fi/bitstream/handle/10024/17282/Hashemi_Shouaib.pdfhttp://www.security-explorations.com/materials/se-2012-01-report.pdfhttp://www.security-explorations.com/materials/se-2012-01-report.pdfhttp://www.security-explorations.com/materials/se-2012-01-report.pdfhttp://www.security-explorations.com/materials/se-2012-01-report.pdfhttp://www.amazon.com/Inside-Java-2-Virtual-Machine/dp/0071350934/ref=sr_1_1?ie=UTF8&qid=1372906118&sr=8-1&keywords=inside+the+java+virtual+machinehttp://www.amazon.com/Inside-Java-2-Virtual-Machine/dp/0071350934/ref=sr_1_1?ie=UTF8&qid=1372906118&sr=8-1&keywords=inside+the+java+virtual+machinehttp://www.amazon.com/Inside-Java-2-Virtual-Machine/dp/0071350934/ref=sr_1_1?ie=UTF8&qid=1372906118&sr=8-1&keywords=inside+the+java+virtual+machinehttp://www.amazon.com/Inside-Java-2-Virtual-Machine/dp/0071350934/ref=sr_1_1?ie=UTF8&qid=1372906118&sr=8-1&keywords=inside+the+java+virtual+machinehttp://www.cs.virginia.edu/~evans/pubs/cs06/http://www.cs.virginia.edu/~evans/pubs/cs06/http://www.cs.virginia.edu/~evans/pubs/cs06/http://www.cs.virginia.edu/~evans/pubs/cs06/
Acknowledgement
• Professors and partners in our lab• Researchers in security community• Everybody who shared their paper
on the Internet
Thank you!Q&A